
It’s All YOUR Fault!

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

When things go wrong, this may be the sequence of events:

  • Search for the guilty
  • Punishment of the innocent
  • Praise for the uninvolved

You may recognize those steps as the last three of six phases of project implementation that were popularized in the ’70s. Too often when there is a problem there seems to be a need to place blame. This results in an atmosphere where someone makes a mistake and, rather than owning up to it, tries to cover it up. More productive environments encourage mistakes to be brought to light, remediated, and then followed up by training to prevent recurrence. When it comes to computer security there are plenty of opportunities to make a mistake.

Most businesses understand the need for security. If you need convincing, see this article, which stated that “Publicly reported global breach volumes dropped 48% last year compared to 2019, but the number of exposed records soared 141% to top 37 billion, according to new data from Risk Based Security.”

The article is titled “Human Error to Blame as Exposed Records Top 37 Billion in 2020”. People made mistakes that resulted in exposing data that should not have been made public. This resulted in businesses having to send out notifications, provide credit monitoring, face possible fines, and deal with a host of other expenses that hurt the bottom line. The article also stated that “External actors accounted for 77% of breaches, and of those caused by insiders, the vast majority (69%) were down to human error or oversight. The use of stolen credentials was the number one confirmed method of entry for attackers.”

It is no secret that credentials are stolen via phishing, vishing, and smishing attacks. If you don’t know what those all are, you need to get educated. Your end-users are the targets of those attacks, but your network and your data are the prizes the bad guys are after. So, if your network gets compromised, do you blame the end-user? Did you give your end-users the training they needed to be able to detect these attacks? Are they aware of how these attacks are changing with time? Are you? The old saying is “Forewarned is forearmed”. Conversely, ignorance is not bliss. Rather, it is an invitation to get attacked and compromised.

I am a big fan of security awareness training. Probably because I love putting on classes. Most end-users just want to do their work and get things done. They don’t have time to read about all the varieties of attacks that are out there and how to detect them. That’s where training comes in. I always find it interesting to see the reactions of end-users when these attacks are described and they are shown how to detect them.

As time passes and more sophisticated attacks move down the food chain, end-users are on the receiving end of attacks that are much more difficult to detect. This article offers a reason why attacks are getting worse.

“Cybercrime remains a lucrative business. Criminal gangs extort millions of dollars from their victims and in addition to funding lavish lifestyles for the members, provide ample budget for developing powerful hacking tools and purchasing zero-day exploits. Against such sophisticated threats, the vast majority of defenders don’t stand a chance.”

Small businesses and even larger enterprises are not going to be able to match the budget the bad guys have. Fortunately, most businesses will not be the target of the well-funded criminal. However, as time passes, the tools the top-level criminals develop become available to the lower-level criminals and thus become more widespread. This means more sophisticated attacks will be seen by everyone. It also means that training, while important, may be insufficient.

Some examples of the sophistication being used in attacks can be found in this article, which discusses four attacks that were found by using an AI-powered email security tool. During training, I always emphasize the idea of looking at the link before you click. Simple but effective, most of the time. One attack mentioned in the article utilized this URL:

https://t.e.vailresorts[.]com/r/id=hda0e43a,3501a2a,3501f68&VRI v73=Y3dlbGNoQgzvdXJoyW5kcy5jb20=&cmpid=EML SNOWALRT OTHR 000 NW 00 00000 00000 00000 20 200110 v01&p1==www.snow[.]com%40s-ay[.]xyz

Simple URL inspection might not work here. While vailresorts.com is a valid URL (as of 1/25/21, but NOT HTTPS!!), and the apparent redirect to snow.com is valid as they are a partner with Vail, that is not the actual destination. The p1 parameter at the very end sends the person to the real destination at the XYZ domain. It would take an alert user to detect this.
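A mail filter or proxy can automate the inspection that a user is unlikely to do by eye. The sketch below is an added example, not code from the article or the tool it mentions: it relies on the fact that `%40` decodes to `@`, so in `www.snow.com@s-ay.xyz` the part before `@` is only userinfo and `s-ay.xyz` is the host. The function names and the two-label domain comparison are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# URL exactly as printed in the article (defanged, spacing as shown).
ARTICLE_URL = (
    "https://t.e.vailresorts[.]com/r/id=hda0e43a,3501a2a,3501f68"
    "&VRI v73=Y3dlbGNoQgzvdXJoyW5kcy5jb20="
    "&cmpid=EML SNOWALRT OTHR 000 NW 00 00000 00000 00000 20 200110 v01"
    "&p1==www.snow[.]com%40s-ay[.]xyz"
)

# Heuristic: optional "userinfo@", then a dotted host name, then end, port or path.
HOSTLIKE = re.compile(r"^(?:[^/@\s]+@)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[:/]|$)", re.I)

def base_domain(host):
    # Simplification: last two labels. Real tooling should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def embedded_destinations(url):
    """List parameter values that name a host outside the link's visible domain."""
    outer = urlsplit(url.replace("[.]", "."))  # refang before parsing
    findings = []
    # Scan path and query together: the link above carries its parameters in the path.
    for token in re.split(r"[?&]", outer.path + "?" + outer.query):
        key, _, raw = token.partition("=")
        value = unquote(raw).lstrip("=")       # %40 becomes "@" here
        target = value.split("://", 1)[-1]     # drop a scheme if one is present
        if not HOSTLIKE.match(target):
            continue
        inner = urlsplit("//" + target)        # "//" makes urlsplit parse an authority
        if base_domain(inner.hostname) != base_domain(outer.hostname):
            findings.append({
                "param": key.rsplit("/", 1)[-1],
                "decoy": inner.username,       # text before "@", shown to the reader
                "real_host": inner.hostname,   # where the browser would actually go
            })
    return findings

if __name__ == "__main__":
    for finding in embedded_destinations(ARTICLE_URL):
        print(finding)
```

A non-empty result is a reason to quarantine or rewrite the link; a `decoy` value that looks like a trusted host is the stronger signal, since legitimate redirects rarely carry userinfo.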

The article goes on to discuss some other attacks that would be difficult for an end-user to detect. If this trend continues (as it most likely will), businesses will need to get much more aggressive with security. Training will still be beneficial since there will always be easily detected attacks. Policies about computer usage will help. Understanding what attacks are happening and how to defend against them will require more effort on the part of the business. Proper firewall configuration can help if a compromise happens. Businesses will have to decide if they can afford more sophisticated defenses. Users can only do so much on their own. Working from home has expanded the attack surface for all businesses. Security events put many businesses out of business each year. Don’t let yours be one of them. If you don’t take precautions, it will be your fault.

To learn more about security training for your team, or to add the proper security measures to your network, call Ashton Technology Solutions at 216 397-4080.
